LinuxDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement


O'Reilly Book Excerpts: Linux Security Cookbook

Secure Cooking with Linux, Part 1

Related Reading

Linux Security Cookbook
By Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

Editor's note: The authors of Linux Security Cookbook have selected a number of recipes from their book to present here. These recipes are organized into basic, intermediate, and advanced categories. This week's set consists of three recipes of a basic flavor. Over the next two weeks we'll present the intermediate and then advanced recipes. There'll be something for everyone here. Enjoy.

Recipe 6.4: Authenticating by Public Key (OpenSSH)

Author's note: SSH is a protocol for secure, remote logins and file copying; and OpenSSH, provided with most Linux distributions, is its most popular implementation. This recipe, selected from Chapter 6 on "Protecting Outgoing Network Connections," shows you how to use public-key authentication to prove your identity to a remote OpenSSH server, a technique more secure than using login passwords.

Problem

You want to set up public-key authentication between an OpenSSH client and an OpenSSH server.

Solution

  1. Generate a key if necessary:

    $ mkdir -p ~/.ssh  If it doesn't already exist
    $ chmod 700 ~/.ssh
    $ cd ~/.ssh
    $ ssh-keygen -t dsa
  2. Copy the public key to the remote host:

    $ scp -p id_dsa.pub remoteuser@remotehost:
    Password: ********
  3. Log into the remote host and install the public key:

    $ ssh -l remoteuser remotehost
    Password: ********
    
    remotehost$ mkdir -p ~/.ssh If it doesn't already exist
    remotehost$ chmod 700 ~/.ssh
    remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys  (Appending)
    remotehost$ chmod 600 ~/.ssh/authorized_keys
    remotehost$ mv id_dsa.pub ~/.ssh Optional, just to be organized
    remotehost$ logout
  4. Log back in via public-key authentication:

    $ ssh -l remoteuser remotehost
    Enter passphrase for key '/home/smith/.ssh/id_dsa': ********

Tip

OpenSSH public keys go into the file ~/.ssh/authorized_keys. Older versions of OpenSSH, however, require SSH-2 protocol keys to be in ~/.ssh/authorized_keys2.

Discussion

Public-key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords because keys are never transmitted over the network, whereas passwords are (albeit encrypted). Also, keys are stored encrypted, so if someone steals yours, it's useless without the passphrase for decrypting it. A stolen password, on the other hand, is immediately usable.

An SSH "key" is actually a matched pair of keys stored in two files. The private or secret key remains on the client machine, encrypted with a passphrase. The public key is copied to the remote (server) machine. When establishing a connection, the SSH client and server perform a complex negotiation based on the private and public key, and if they match (in a cryptographic sense), your identity is proven and the connection succeeds.

To set up public-key authentication, first create an OpenSSH key pair, if you don't already have one:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/smith/.ssh/id_dsa): <RETURN>
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Your identification has been saved in id_dsa
Your public key has been saved in id_dsa.pub.
The key fingerprint is: 76:00:b3:e8:99:1c:07:9b:84:af:67:69:b6:b4:12:17 
   smith@mymachine

Copy the public key to the remote host using password authentication:

$ scp ~/.ssh/id_dsa.pub remoteuser@remotehost:
Password: *********
id_dsa.pub      100% |*****************************|     736    00:03

Log into the remote host using password authentication:

$ ssh -l remoteuser remotehost
Password: ********

If your local and remote usernames are the same, you can omit the -l remoteuser part and just type ssh remotehost.

On the remote host, create the ~/.ssh directory if it doesn't already exist and set its mode appropriately:

remotehost$ mkdir -p ~/.ssh
remotehost$ chmod 700 ~/.ssh

Then append the contents of id_dsa.pub to ~/.ssh/authorized_keys:

remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys    (Appending)
remotehost$ chmod 600 ~/.ssh/authorized_keys

Log out of the remote host and log back in. This time you'll be prompted for your key passphrase instead of your password:

$ ssh -l remoteuser remotehost
Enter passphrase for key '/home/smith/.ssh/id_dsa': *******

and you're done! If things aren't working, rerun ssh with the -v option (verbose) to help diagnose the problem.

The SSH server must be configured to permit public-key authentication, which is the default:

/etc/ssh/sshd_config:
PubkeyAuthentication yes If no, change it and restart sshd

For more convenience, you can eliminate the passphrase prompt using ssh-agent [Recipe 6.9] and create host aliases in ~/.ssh/config. [Recipe 6.12]

See Also

ssh(1), scp(1), ssh-keygen(1).

SSH-2 Key File Formats

The two major implementations of SSH—OpenSSH and SSH Secure Shell ("SSH2")—use different file formats for SSH-2 protocol keys. (Their SSH-1 protocol keys are compatible.) OpenSSH public keys for the SSH-2 protocol begin like this:

ssh-dss A9AAB3NzaC1iGMqHpSCEliaouBun8FF9t8p...

or:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA3DIqRox...

SSH Secure Shell public keys for the SSH-2 protocol look like this:

---- BEGIN SSH2 PUBLIC KEY ---- 
AAAAB3NzaC1kc3MAAACBAM4a2KKBE6zhPBgRx4q6Dbjxo5hXNKNWYIGkX/W/k5PqcCH0J6 ...
---- END SSH2 PUBLIC KEY ----

These keys are installed differently too. For OpenSSH, you insert your public keys into the file ~/.ssh/authorized_keys. For SSH Secure Shell, you copy your public key files into the directory ~/.ssh2 and reference them in the file ~/.ssh2/authorization by name:

Key public_key_filename

As for private keys, OpenSSH has no special requirements for installation, but SSH Secure Shell does. You must reference them in the file ~/.ssh2/identification by name:

IdKey private_key_filename

Pages: 1, 2, 3

Next Pagearrow




Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!


Linux Resources
  • Linux Online
  • The Linux FAQ
  • linux.java.net
  • Linux Kernel Archives
  • Kernel Traffic
  • DistroWatch.com


  • Sponsored by: